From: aliver at xexil.com (aliver@...il.com)
Subject: consumer "rights" vs real innocents

	Here is another item for discussion. What "rights" do software
consumers really have? I'm not a lawyer, so I won't presume to address
this from a legal perspective, but a moral one.
	Some people seem to think that no matter how ignorant a person is,
they should be shielded from the malice or ignorance of others. I'm
not so sure about this. It begs the question, "is there a corrupt consumer
public?" From observation, I'd say that there is. Most people buy MS
products based on product image and the promise of quick gratification.
For the most part they intransigently refuse to educate themselves. There
is also a large group of people who continue to use software even after it
proves to be dangerous. I worked for a company of about 13,000 people that
continued to use MS Exchange + Outlook Express (in 2000) and got hit by
the first generation of address-book worms so many times that their mail servers
were down for over 3 weeks during that year. Just plain stupid.
	Another point on this topic is that the public often supports
companies who are, themselves, corrupt. They support MSFT, which has pretty
much succeeded in undermining some of the basic precepts of democracy and
capitalism. Jefferson said "a fair field with no favors" and the Sherman
anti-trust laws attempted to create a statute supporting that. MSFT
through lobbying and careful manipulation continues to undermine not only
the industry, but our actual country. They attempt to directly undermine
smaller companies or efforts like Linux who might produce better products,
rather than improve their own products to compete. The public, and our
government turns a blind eye to this. They continue to buy their products
for such trivial reasons as the fact that MSFT used the Rolling Stones in
an advertising campaign. All this despite the ease of observation that
they are a corrupt, and militant monopoly.
	I've read the Zarcadian position of the "hacker paladin". I find
it fascinating, but also I think it's important to point out that they
advocate protecting innocents, and draw some parallels to medieval serfs
who were being victimized by greedy land barons, or simple bandits.
However, there are some critical differences in many of the cases which we
have been recently considering. First off, if a serf didn't pay his taxes
to the provincial lord, or give his last gold piece to the bandit with a
notched arrow, then he was as good as dead. Today's consumers aren't in
the same sort of plight. They have a choice where to spend their money,
and they often make the wrong choice, for selfish or ignorant reasons. If
they are subsequently victimized repeatedly by, say Microsoft + Outlook
Express, then they share some of the blame in their fate. For whitehats to
tell me that I've got to protect these types of people from (ultimately)
themselves, is pretty aggravating.
	However, I'm not saying that the Zarcadian position is entirely
flawed. In fact, quite the opposite. I stick by my assertion that exploits
and "toolz" are something akin to weapons. Now, the "Templars" have a
choice. Do you turn your weapons over to the corrupt vendor, or make your
tactics known to the corrupt public? NO. That'd render them useless. Why
not use them to fight some meaningful battles against a truly evil enemy?
Examples (IMO) include corrupt 3rd world governments, greedy corporatists
who undermine our government, or pedophiles.
	If _you_ want to release your tools, exploits, or bug information
to the public, fine. However, don't come to me with an attitude about how
I'm cheating the poor, innocent public or altruistic corporation out of
some badly needed security info. I work for myself, not for them, and the
fruits of my labor are going to be used for my own purposes. Take your
idiotic RFCs about the "right" way to release vulnerability info, and
shove it. I've seen your brand of "ethics" at work, and I'm not impressed.

aliver
